pam_fprint is a simple PAM module which uses libfprint's fingerprint processing and verification functionality for authentication. In other words, instead of seeing a password prompt, you're asked to scan your fingerprint.

The idea is to use the built-in fingerprint reader in some notebooks for login using PAM. This article will also explain how to use regular password for backup login method (solely fingerprint scanner is not recommended due to numerous reasons).

Contents

Prerequisites

First, make sure you have one of the supported finger scanners. You can check if your device is supported by checking this list of supported devices. To check which one you have, type

# lsusb

You need to install pam and libfprint.

# pacman -S pam libfprint

Installation

Some dependencies:

# pacman -S libusb imagemagick

Once you made sure your reader is supported, you are good to go

# yaourt -Sb pam_fprint-git

Because the package is outdated it wants you to have libusb1. A package with that name does not exist; it has been renamed to libusb, without the ending 1. Therefore, you must change that in the PKGBUILD file when it asks you. Make sure it looks like this:

depends=('libusb' 'imagemagick' 'libtool')

Configuration

Permissions

By default, only root has access to the device. You can create a signature from sudo, but then you can only use it for root user. The following solution from the Ubuntu forums may work for some people.

Login configuration

This tries to use fingerprint login first, and if if fails or if it finds no fingerprint signatures in the give user's home directory, it proceeds to password login.

You can also modify other files in /etc/pam.d/ using the same method, for example /etc/pam.d/gdm for GNOME's fingerprint login or /etc/pam.d/polkit-1 for GNOME PolicyKit Authentication.

Create fingeprint signature

Now you should be able to run the program under a normal user. To see the usage, run

$ pam_fprint_enroll --help

Chose one of the fingers and run

$ pam_fprint_enroll -f #

You will be asked to scan the given finger 3 times. After that, the signature is created in your home directory.

Setup fingerprint-gui

An alternate fingerprint reader gui.
This works with libfprint-unstable which has support for the new Upeksonly readers, such as,
the new Thinkpad W510 T510 T410 T420 Upeksonly reader with USB ID 147e:2016

Add this to your ~/.bashrc file if you get an error saying that it can't connect to X desktop.

xhost + &>

Now run fingerprint-gui and register fingerprints for the current user. You will need to run fingerprint-gui and register fingerprints as all users you want to use the fingerprint reader, i.e. as root to use it for "su" login.